"Data encryption at rest is always a good thing, and it's great to see that EBS is now on par with S3 in terms of server-side encryption," said Brian Schott, CTO for Nimbis Services Inc., a systems integrator in McLean, Virginia that serves Department of Defense component suppliers. "Many cloud deployers manage their own encrypted EBS data volumes using [the] Linux [utility] dm-crypt, but it is particularly difficult to encrypt the root volume and still be able to boot the system securely."

While EBS encryption is another step forward, key management is the main issue for AWS customers going forward, security experts said.

EBS encryption uses AWS-managed keys, but other services, such as CloudHSM, allow customers to retain control of their keys; CloudHSM can be used with applications on EC2 or with Amazon Redshift.

AWS-managed keys may be convenient for some, but security-conscious customers will want to manage their own keys, according to Edward Haletky, CEO of the Virtualization Practice LLC based in Austin, Texas.

Customers still have the option to apply their own encrypted file system to AWS storage for control over encryption keys, but it's not ideal, according to Schott.

"This involves a high degree of system orchestration," he said. "Furthermore, relying on key storage in the [file system] metadata service is like leaving your front door key under the mat."

More on the cloud security to-do list

While it's a good move for Amazon to bring EBS up to speed with the rest of its storage offerings through encryption at rest, security experts would like to see a bigger shift in how AWS does security that would give tenants more control.

Tenants must be able to encrypt at the virtual machine (VM) level, and have more comprehensive audit capabilities within AWS, according to Haletky.

"When [Amazon] decrypts data, they read the key out of the [Hardware Security Module] … that readout means the key is somewhere in memory, but not on the virtual machine, it's in the host," Haletky said.

Since Amazon owns the host, that makes it harder to crack the encryption key, "but it would be nice if they did it higher in the stack," Haletky said. "It's not just the disks you need to encrypt, it's the memory you need to encrypt to go even further. … If you break into the VM, that data is still unencrypted."

AWS also offers auditing capabilities for compliance-conscious customers with its CloudTrail service, which records the application programming interface (API) calls made by a given AWS account, but that could go further, Haletky said.

Automated logging of activity on the host would go a long way toward settling cloud security and compliance concerns in the AWS cloud, Haletky said. AWS customers would know whether the server or an AWS admin had accessed encryption keys and what was decrypted, for example.
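CloudTrail already lets a tenant check one thing the article raises, namely whether EBS volumes are actually being created encrypted. The following added example (not from the article or from AWS) scans constructed CloudTrail records and reports every CreateVolume call that did not set encryption; the record fields (eventSource, eventName, requestParameters, userIdentity) follow the CloudTrail JSON format as assumed here, and the sample events are constructed.

```python
import json

# Constructed CloudTrail log (not real data): three CreateVolume calls and one
# unrelated DescribeVolumes event that the check must ignore.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateVolume",
     "eventTime": "2014-05-22T10:01:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"size": "100", "availabilityZone": "us-east-1a",
                           "encrypted": True}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateVolume",
     "eventTime": "2014-05-22T10:05:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"size": "50", "availabilityZone": "us-east-1a",
                           "encrypted": False}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateVolume",
     "eventTime": "2014-05-22T10:06:00Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"},
     "requestParameters": {"size": "20", "availabilityZone": "us-east-1b"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVolumes",
     "eventTime": "2014-05-22T10:07:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},
]})


def unencrypted_volume_creations(cloudtrail_json):
    """Return (eventTime, actor) for each CreateVolume call without encrypted=true.

    A missing 'encrypted' key means the API default (unencrypted) applied,
    so it is reported exactly like an explicit false.
    """
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if (rec.get("eventSource") != "ec2.amazonaws.com"
                or rec.get("eventName") != "CreateVolume"):
            continue
        params = rec.get("requestParameters") or {}
        if params.get("encrypted") is True:
            continue
        ident = rec.get("userIdentity", {})
        # IAM users carry userName; assumed roles only carry an ARN.
        actor = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        findings.append((rec.get("eventTime"), actor))
    return findings


if __name__ == "__main__":
    for when, who in unencrypted_volume_creations(SAMPLE_CLOUDTRAIL):
        print(f"{when} unencrypted EBS volume created by {who}")
```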

"The problem with Amazon is that while I know for a fact that they have really great security … there's no way, as a tenant, for me to prove that," he said.


A very good service to offer for encryption of data at rest. Now the security depends on the HSM which stores the key. If we look at the 4 main layers, Storage, VM, OS and application, and the underlying network, AWS has to see that these layers are secure from the customer point of view. They should tell or offer their customers to see:
- how they ensure security in storage
- security in the VM administration
- security in OS
- vulnerability management
- change management
- patch management
- security for multi-tenants
- event management
- get audited and share audit reports
- etc.

AWS has to show that they are open to their customers and are providing a customer friendly service.

They should support the KMIP key management standard so that enterprises can own their own keys and deliver them to the cloud when requested by the EBS decryption agent. Not perfect, but better than leaving keys in the cloud.

Thanks for your comments! azahmad, do you think it's likely they'd reach that level of transparency with customers? And rmoulds, why KMIP in particular? How would that be an improvement over their existing CloudHSM?

I think Amazon can only do so much...much of the responsibility lies on the businesses who host their applications/systems in AWS. I've tested several environments hosted there that had numerous security vulnerabilities (including some I rated as 'critical'). You can never assume that just because you're using the big boys to host your environment that everything will be safe and sound. In the end, such providers are in the business of uptime, not security.